BMOW title
Floppy Emu banner

BMOW on https

padlock

The entire Big Mess o’ Wires site should now be usable via the encrypted https protocol. I had some trouble with this a year ago, when I unintentionally enabled https for the blog and discovered that lots of things broke. At the time, I wasn’t ready to make the effort to fix it all, so I implemented a security-unfriendly solution of redirecting all https requests to plain unencrypted http instead. As of today that’s no longer necessary, which is good news.

The BMOW store has always been https-only, but I never thought the blog section needed https. After all, there are no passwords or financial data or other secrets to protect here. The trouble with enabling https for the blog is the zillions of hard-coded references to http://www.bigmessowires.com in the text of old posts, image URLs, forms, and elsewhere. Http elements in an https page cause the browser to give security warnings, and some features like forms just plain don’t work. Fixing this was much less trouble than I’d feared – it only took one careful search-and-replace operation on the database to fix most of them. Yes I have backups, but I still quadruple-checked my search parameters before bulk-modifying 10+ years of posts.

Why is encrypted https useful for browsing public information, like the contents of the BMOW blog? Depending on your level of paranoia, it’s not. However, if you’re especially concerned about privacy, browsing the blog using https instead of http will provide some extra protection. It will prevent snoopers from seeing exactly what content you’re viewing on the BMOW site, or what you posted in the content forms. They’ll still be able to see that you interacted with bigmessowires.com, but no details about what you did there.

Https also provides more confidence that the content you’re viewing is the same content that the server sent you. With an unencrypted connection, a man-in-the-middle (your ISP, for example) could modify the pages you’re viewing on the fly, inserting extra advertisements or tracking elements or malware. I’m not certain this protection is completely guaranteed, however. While I’m no expert, I’ve read about SSL interception proxies that sit in the middle of an https connection, while making both ends think they’re communicating directly with the other end. Nevertheless, using https for all your web browsing should greatly reduce the risk of this type of tampering.

Read 2 comments and join the conversation 

2 Comments so far

  1. Dillon - April 3rd, 2017 7:01 am

    HTTPS is working, but if you go to http://www.bigmessowires.com, it doesn’t automatically redirect to the HTTPS version. This is definitely something you can configure and I think it’s the behavior that you want.

  2. Steve - April 3rd, 2017 9:43 am

    Yes, good point. I’ve been holding off on that until I was confident there were no more https problems lurking, but I’ll add the auto-redirect soon.

Leave a reply. For customer support issues, please use the Customer Support link instead of writing comments.